IN THE CLAIMS:

Please find below a listing of all pending claims. The statuses of the claims are 
set forth in parentheses. For those currently amended claims, underlined emphasis 
indicates insertions and strikethrough emphasis (and/or double brackets) indicates
deletions. 

1. (currently amended) A computer-readable recording medium for storing a 
computer program for detecting a worm by monitoring a communication of a 
predetermined network segment that is connected to a network and judging whether 
the communication is executed by a worm, the computer program causing a computer 
to perform a process comprising:

acquiring information of a monitored communication, the information being
related to a traffic and a communication address of a communication packet, based on
measurement parameters first setting information for a plurality of setting items;

judging whether the monitored communication has been being executed by the
worm based on the information acquired and a predetermined judgment criteria; 

extracting reference information for identifying a communication packet to be 
blocked from a plurality of communication packets transmitted in the monitored 
communication judged to have been executed by the worm at the judging; and 

blocking the communication packet that is transmitted between the 
predetermined network segment and the outside of the predetermined network 
segment based on the reference information extracted at the extracting; and

changing the measurement parameters when the communication is judged to
have been executed by the worm at the judging,

wherein the acquiring includes acquiring information of the monitored
communication, based on the measurement parameters changed at the changing, the
information on second setting information for the plurality of setting items after the
monitored communication is judged to have been executed by the worm at the judging.

2. (canceled) 

3. (currently amended) A computer-readable recording medium for storing a 
computer program for detecting a worm by monitoring a communication of a 
predetermined network segment that is connected to a network and judging whether 
the communication is executed by a worm, the computer program causing a computer 
to perform a process comprising:

acquiring information of a monitored communication, the information being
related to a traffic and a communication address of a communication packet, based on
measurement parameters first setting information for a plurality of setting items;

judging whether the monitored communication has been executed by the worm 
based on the information acquired and a first predetermined judgment criteria; 

extracting reference information for identifying a communication packet to be 
blocked from a plurality of communication packets transmitted in the monitored 
communication judged to have been executed by the worm at the judging; and

blocking the communication packet that is transmitted between the
predetermined network segment and the outside of the predetermined network
segment based on the reference information extracted at the extracting; and

changing the judgment criteria when the communication is judged to have been
executed by the worm at the judging, wherein

the judging includes further judging whether the monitored communication
judged to have been executed by the worm at the judging has been executed by the
worm after the monitored communication is judged to have been executed by the worm
at the judging, based on the information acquired and the judgment criteria changed at
the changing a second predetermined judgment criteria.

4. (previously presented) The computer-readable recording medium according to 
claim 1, wherein the judging includes judging that a communication from a computer 
that is in the predetermined network segment is executed by the worm when 

there is an increase in number of communication packets as well as number of 
destination addresses of communication packets that are transmitted from the 
predetermined network segment to the outside. 

5. (currently amended) A computer-readable recording medium for storing a 
computer program for detecting a worm by monitoring a communication of a 
predetermined network segment that is connected to a network and judging whether 
the communication is executed by a worm, the computer program causing a computer 
to perform a process comprising:

acquiring information of a monitored communication, the information being
related to a traffic and a communication address of a communication packet, based on
measurement parameters first setting information for a plurality of setting items;

first judging whether a computer in the predetermined network segment is 
infected by the worm based on the information acquired and a predetermined judgment 
criteria; 

second judging whether a plurality of computers in the predetermined network 
segment are infected by the worm; 

extracting reference information for identifying a communication packet to be 
blocked from a plurality of communication packets transmitted in the monitored 
communication upon it being judged at the first judging that the computer is infected 
by the worm; and 

blocking the communication packet that is transmitted between the
predetermined network segment and the outside of the predetermined network 
segment based on the reference information extracted at the extracting, wherein 

the second judging includes judging that a plurality of computers in the 
predetermined network segment are infected by the worm when all three conditions are 
satisfied, the three conditions being that 

a monitored communication from the computer in the predetermined network 
segment is judged to be infected by the worm at the first judging, 

a number of communication packets that are transmitted from the 
predetermined network segment to the outside becomes greater than a number of the 
communication packets transmitted from the predetermined network segment to the 
outside when the computer is judged to be infected by the worm at the first judging, 
and 

a number of destination addresses of the communication packets that are 
transmitted from the predetermined network segment to the outside becomes greater 
than a number of destination addresses of the communication packets transmitted from 
the predetermined network segment to the outside when the computer is judged to be 
infected by the worm at the first judging. 

6-7. (canceled) 

8. (currently amended) A computer-readable recording medium for storing a 
computer program for detecting a worm by monitoring a communication of a 
predetermined network segment that is connected to a network and judging whether 
the communication is executed by a worm, the computer program causing a computer 
to perform a process comprising:

acquiring information of a monitored communication, the information being
related to a traffic and a communication address of a communication packet, based on
measurement parameters first setting information for a plurality of setting items;

judging whether the monitored communication is executed by the worm based 
on the information acquired and a predetermined judgment criteria; 

extracting reference information for identifying a communication packet to be 
blocked from a plurality of communication packets transmitted in the monitored 
communication upon it being judged at the judging that the monitored communication 
is executed by the worm; and 

blocking the communication packet that is transmitted between the 
predetermined network segment and the outside of the predetermined network 
segment based on the reference information extracted at the extracting 

wherein the judging includes identifying a type of the worm executing the 
monitored communication by comparing features of a first the monitored
communication with features of a second communication executed by a worm that are
recorded in advance, when the first communication is judged to be executed by a

9-12. (canceled) 

13. (currently amended) A method for detecting a worm by monitoring a 
communication of a predetermined network segment that is connected to a network 
and judging whether the communication is executed by a worm, comprising: 

acquiring information of a monitored communication, the information being 
related to a traffic and a communication address of a communication packet, based on
measurement parameters first setting information for a plurality of setting items;

judging whether the monitored communication has been being executed by the
worm based on the information acquired and a predetermined judgment criteria; 

extracting reference information for identifying a communication packet to be 
blocked from a plurality of communication packets transmitted in the monitored 
communication judged to have been executed by the worm at the judging; and

blocking the communication packet that is transmitted between the
predetermined network segment and the outside of the predetermined network
segment based on the reference information extracted at the extracting; and

changing the measurement parameters when the communication is judged to
have been executed by the worm at the judging,

wherein the acquiring includes acquiring information of the monitored
communication, based on the measurement parameters changed at the changing, the
information on second setting information for the plurality of setting items after the
monitored communication is judged to have been executed by the worm at the judging.

14. (canceled) 

15. (currently amended) A device for detecting a worm by monitoring a 
communication of a predetermined network segment that is connected to a network 
and judging whether the communication is executed by a worm, comprising: 

an acquiring unit that acquires information of a monitored communication, the 
information being related to a traffic and a communication address of a communication 
packet, based on measurement parameters first setting information for a plurality of
setting items;

a judging unit that judges whether the monitored communication has been 
executed by the worm based on the information acquired and a predetermined 
judgment criteria; 

a reference information extracting unit that extracts reference information for
identifying a communication packet to be blocked from a plurality of communication 
packets transmitted in the monitored communication judged to have been executed by 
the worm by the judging unit; and 

a blocking unit that blocks the communication packet that is transmitted between 
the predetermined network segment and the outside of the predetermined network 
segment based on the reference information extracted by the reference information 
extracting unit; and

a setting changing unit that changes the measurement parameters when the
communication is judged to have been executed by the worm by the judging unit,
wherein

the acquiring unit acquires information of the monitored communication, based
on the measurement parameters changed by the setting changing unit, the information
on second setting information for the plurality of setting items after the monitored
communication is judged to have been executed by the worm by the judging unit.

16. (currently amended) A device for detecting a worm by monitoring a 
communication of a predetermined network segment that is connected to a network 
and judging whether the communication is executed by a worm, comprising: 

an acquiring unit that acquires information of a monitored communication, the 
information being related to a traffic and a communication address of a communication 
packet, based on measurement parameters first setting information for a plurality of
setting items;

a judging unit that judges whether the monitored communication has been 
executed by the worm based on the information acquired and a first predetermined 
judgment criteria; 

a reference information extracting unit that extracts reference information for
identifying a communication packet to be blocked from a plurality of communication 
packets transmitted in the monitored communication judged to have been executed by 
the worm by the judging unit; and

a blocking unit that blocks the communication packet that is transmitted between
the predetermined network segment and the outside of the predetermined network
segment based on the reference information extracted by the reference information
extracting unit; and

a setting changing unit that changes the judgment criteria when the
communication is judged to have been executed by the worm by the judging unit,
wherein

the judging unit further judges whether the monitored communication judged to
have been executed by the worm by the judging unit has been executed by the worm
after the monitored communication is judged to have been executed by the worm by
the judging unit based on the information acquired by the acquiring unit and the
judgment criteria changed by the setting changing unit a second predetermined
judgment criteria.

17. (previously presented) The device according to claim 15, wherein the judging 
unit judges that a communication from a computer that is in the predetermined 
network segment is executed by the worm when 

there is an increase in number of communication packets as well as number of 
destination addresses of communication packets that are transmitted from the 
predetermined network segment to the outside. 

18. (currently amended) A device for detecting a worm by monitoring a
communication of a predetermined network segment that is connected to a network 
and judging whether the communication is executed by a worm, comprising: 

an acquiring unit that acquires information of a monitored communication, the 
information being related to a traffic and a communication address of a communication 
packet, based on measurement parameters first setting information for a plurality of
setting items;

a judging unit that judges at a first time whether a computer in the 
predetermined network segment is infected by the worm based on the information 
acquired and a predetermined judgment criteria, and judges at a second time whether 
a plurality of computers in the predetermined network segment are infected by the 
worm; 

a reference information extracting unit that extracts reference information for 
identifying a communication packet to be blocked from a plurality of communication 
packets transmitted in the monitored communication upon it being judged at the first 
time by the judging unit that the computer is infected by the worm; 

a blocking unit that blocks the communication packet that is transmitted between 
the predetermined network segment and the outside of the predetermined network 
segment based on the reference information extracted by the reference information 
extracting unit, 

wherein the judging unit judges at the second time that a plurality of computers 
in the predetermined network segment are infected by the worm when all three 
conditions are satisfied, the three conditions being that 

a monitored communication from the computer in the predetermined network 
segment is judged at the first time to be infected by the worm, 

a number of communication packets that are transmitted from the 
predetermined network segment to the outside becomes greater than a number of the 
communication packets transmitted from the predetermined network segment to the
outside when the computer is judged at the first time to be infected by the worm, and 

a number of destination addresses of the communication packets that are 
transmitted from the predetermined network segment to the outside becomes greater 
than a number of destination addresses of the communication packets transmitted from 
the predetermined network segment to the outside when the computer is judged at the 
first time to be infected by the worm. 

19-21. (canceled) 

22. (currently amended) A computer-readable recording medium for storing a 
computer program for detecting a worm by monitoring a communication of a 
predetermined network segment that is connected to a network and judging whether 
the communication is executed by a worm, the computer program causing a computer 
to perform a process comprising:

acquiring information of a monitored communication, the information being
related to a traffic and a communication address of a communication packet, based on
measurement parameters first setting information for a plurality of setting items;

judging whether the monitored communication has been executed by the worm 
based on the information acquired and a predetermined judgment criteria; 

extracting reference information for identifying a communication packet to be 
blocked from a plurality of communication packets transmitted in the monitored 
communication judged to have been executed by the worm at the judging; and 

blocking the communication packet that is transmitted between the 
predetermined network segment and the outside of the predetermined network 
segment based on the reference information extracted at the extracting, 

wherein the extracting includes summing up a number of the communication
packets for each port number, the communication packets being transmitted in the
monitored communication when the communication is judged to have been executed by
the worm at the judging being executed by the worm, and extracting as the reference
information, a most frequently appeared port number of the communication packets
transmitted in the monitored communication judged to have been executed by the
worm at the judging being executed by the worm.

23. (currently amended) A method for detecting a worm by monitoring a 
communication of a predetermined network segment that is connected to a network 
and judging whether the communication is executed by a worm, comprising: 

acquiring information of a monitored communication, the information being 
related to a traffic and a communication address of a communication packet, based on
measurement parameters first setting information for a plurality of setting items;

judging whether the monitored communication has been executed by the worm 
based on the information acquired and a predetermined judgment criteria; 

extracting reference information for identifying a communication packet to be 
blocked from a plurality of communication packets transmitted in the monitored 
communication judged to have been executed by the worm at the judging; and 

blocking the communication packet that is transmitted between the 
predetermined network segment and the outside of the predetermined network 
segment based on the reference information extracted at the extracting, 

wherein the extracting includes summing up a number of the communication 
packets for each port number, the communication packets being transmitted in the 
monitored communication when the communication is judged to have been executed by
the worm at the judging being executed by the worm, and extracting as the reference
information, a most frequently appeared port number of the communication packets
transmitted in the monitored communication judged to have been executed by the



24. (currently amended) A device for detecting a worm by monitoring a 
communication of a predetermined network segment that is connected to a network 
and judging whether the communication is executed by a worm, comprising: 

an acquiring unit that acquires information of a monitored communication, the 
information being related to a traffic and a communication address of a communication 
packet, based on measurement parameters first setting information for a plurality of
setting items;

a judging unit that judges whether the monitored communication has been 
executed by the worm based on the information acquired and a predetermined 
judgment criteria; 

a reference information extracting unit that extracts reference information for 
identifying a communication packet to be blocked from a plurality of communication 
packets transmitted in the monitored communication judged to have been executed by 
the worm by the judging unit; and 

a blocking unit that blocks the communication packet that is transmitted between 
the predetermined network segment and the outside of the predetermined network 
segment based on the reference information extracted by the reference information 
extracting unit, 

wherein the reference information extracting unit sums up a number of the 
communication packets for each port number, the communication packets being 
transmitted in the monitored communication when the communication is judged to 




extracts, as the reference information, a most frequently appeared port number of the 
communication packets transmitted in the monitored communication judged to have

25. (currently amended) A computer-readable recording medium for storing a 
computer program for detecting a worm by monitoring a communication of a 
predetermined network segment that is connected to a network and judging whether 
the communication is executed by a worm, the computer program causing a computer 
to perform a process comprising:

acquiring information of a monitored communication, the information being
related to a traffic and a communication address of a communication packet, based on
measurement parameters first setting information for a plurality of setting items;

judging whether the monitored communication is executed by the worm based 
on the information acquired and a predetermined judgment criteria; 

extracting reference information for identifying a communication packet to be 
blocked from a plurality of communication packets transmitted in the monitored 
communication upon it being judged at the judging that the monitored communication 
is executed by the worm; 

blocking the communication packet that is transmitted between the 
predetermined network segment and the outside of the predetermined network 
segment based on the reference information extracted at the extracting, 

wherein the extracting further includes summing up, for each direction of 
communication of a packet transmitted out from the predetermined network segment 
or transmitted to the predetermined network segment, a number of the communication 
packets transmitted in the monitored communication upon it being judged that the 
communication is executed by the worm at the judging being executed by the worm,
and extracting, as the reference information, a direction of the monitored
communication wherein the number of the communication packets is over a threshold
value. 

26. (canceled) 

27. (currently amended) A method for detecting a worm by monitoring a 
communication of a predetermined network segment that is connected to a network 
and judging whether the communication is executed by a worm, comprising: 

acquiring information of a monitored communication, the information being 
related to a traffic and a communication address of a communication packet, based on 
measurement parameters first setting information for a plurality of setting items;

judging whether the monitored communication is executed by the worm based 
on the information acquired and a predetermined judgment criteria; 

extracting reference information for identifying a communication packet to be 
blocked from a plurality of communication packets transmitted in the monitored 
communication upon it being judged at the judging that the monitored communication 
is executed by the worm; and 

blocking the communication packet that is transmitted between the 
predetermined network segment and the outside of the predetermined network 
segment based on the reference information extracted at the extracting, 

wherein the extracting further includes summing up, for each direction of 
communication of a packet transmitted out from the predetermined network segment 
or transmitted to the predetermined network segment, a number of the communication 
packets transmitted in the monitored communication upon it being judged that the
communication is executed by the worm at the judging being executed by the worm,
and extracting, as the reference information, a direction of the monitored
communication wherein the number of the communication packets is over a threshold
value. 

28. (currently amended) A device for detecting a worm by monitoring a 
communication of a predetermined network segment that is connected to a network 
and judging whether the communication is executed by a worm, comprising: 

an acquiring unit that acquires information of a monitored communication, the 
information being related to a traffic and a communication address of a communication 
packet, based on measurement parameters first setting information for a plurality of
setting items;

a judging unit that judges whether the monitored communication is executed by 
the worm based on the information acquired and a predetermined judgment criteria; 

a reference information extracting unit that extracts reference information for 
identifying a communication packet to be blocked from a plurality of communication 
packets transmitted in the monitored communication upon it being judged by the 
judging unit that the monitored communication is executed by the worm; 

a blocking unit that blocks the communication packet that is transmitted between 
the predetermined network segment and the outside of the predetermined network 
segment based on the reference information extracted by the reference information 
extracting unit, 

wherein the reference information extracting unit further sums up, for each 
direction of communication of a packet transmitted out from the predetermined 
network segment or transmitted to the predetermined network segment, a number of 
the communication packets transmitted in the monitored communication upon it being
judged that the communication is executed by the worm by the judging unit being
executed by the worm, and extracts, as the reference information, a direction of the






PATENT 



Docket No.: 1924.70199 
App. Ser. No.: 10/812,622 



monitored communication wherein the number of the communication packets is over a 
threshold value. 

29-33. (canceled) 

34. (currently amended) A device for cutting off a communication executed by a 
worm by monitoring the communication between a predetermined network segment 
and outside of the predetermined network segment, comprising: 

a worm judging unit that judges whether a monitored communication has been 
executed by the worm; 

a reference information extracting unit that extracts reference information for 
identifying a communication packet to be blocked from a plurality of communication 
packets transmitted in the monitored communication judged to have been executed by 
the worm; and 

a blocking unit that blocks the communication packet that is transmitted between 
the predetermined network segment and the outside of the predetermined network 
segment based on the reference information extracted by the reference information 
extracting unit, 

wherein the reference information extracting unit sums up a number of the 
communication packets for each port number, the communication packets being 
transmitted in the monitored communication when the communication is judged to 
have been executed by the worm by the worm judging unit being executed by the
worm, and extracts, as the reference information, a most frequently appearing port
number of the communication packets transmitted in the monitored communication
judged to have been executed by the worm by the worm judging unit being executed
by the worm.

35. (currently amended) A device for cutting off a communication executed by a
worm by monitoring the communication between a predetermined network segment 
and outside of the predetermined network segment, comprising: 

a worm judging unit that judges whether a monitored communication is 
executed by the worm; 

a reference information extracting unit that extracts reference information for 
identifying a communication packet to be blocked from a plurality of communication 
packets transmitted in the monitored communication upon it being judged by the worm 
judging unit that the monitored communication is executed by the worm; and 

a blocking unit that blocks the communication packet that is transmitted between 
the predetermined network segment and the outside of the predetermined network 
segment based on the reference information extracted by the reference information 
extracting unit, 

wherein the reference information extracting unit further sums up, for each 
direction of communication of a packet transmitted out from the predetermined 
network segment or transmitted to the predetermined network segment, a number of 
the communication packets transmitted in the monitored communication upon it being 
judged by the worm judging unit that the communication is executed by the worm
being executed by the worm, and extracts, as the reference information, a direction of
the monitored communication wherein the number of the communication packets is 
over a threshold value. 

36-40. (canceled) 

41. (previously presented) The computer-readable recording medium according to 
claim 3, wherein the judging includes judging that a communication from a computer 
that is in the predetermined network segment is executed by the worm when 

there is an increase in number of communication packets as well as number of
destination addresses of communication packets that are transmitted from the 
predetermined network segment to the outside. 

42. (canceled) 

43. (previously presented) The computer-readable recording medium according to 
claim 8, wherein the judging includes judging that a communication from a computer 
that is in the predetermined network segment is executed by the worm when 

there is an increase in number of communication packets as well as number of 
destination addresses of communication packets that are transmitted from the 
predetermined network segment to the outside. 
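
The judgment criterion of claims 4, 17, 41 and 43, the port extraction of claims 22 to 24 and 34, and the direction extraction of claims 25, 27, 28 and 35 can be illustrated together. The following Python sketch is an added example and is not part of the application; the segment 10.0.0.0/24, the growth factor, the direction threshold, the window width and all function names are assumptions, and the packets are constructed sample data.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SEGMENT = ip_network("10.0.0.0/24")  # assumed "predetermined network segment"


@dataclass(frozen=True)
class Packet:
    ts: float   # capture time in seconds
    src: str
    dst: str
    dport: int


def direction(pkt):
    """'outbound', 'inbound', or None when the packet does not cross the segment boundary."""
    src_in = ip_address(pkt.src) in SEGMENT
    dst_in = ip_address(pkt.dst) in SEGMENT
    if src_in and not dst_in:
        return "outbound"
    if dst_in and not src_in:
        return "inbound"
    return None


def acquire(packets, start, width):
    """Acquiring step: traffic and address information for one measurement window."""
    window = [p for p in packets if start <= p.ts < start + width and direction(p)]
    outbound = [p for p in window if direction(p) == "outbound"]
    return {"packets": window,
            "out_count": len(outbound),
            "out_dests": len({p.dst for p in outbound})}


def judge(prev, cur, factor=3.0):
    """Judging step: outbound packet count AND distinct destinations both increase.
    Requiring growth by `factor` is an assumed judgment criterion."""
    return (cur["out_count"] > factor * max(prev["out_count"], 1)
            and cur["out_dests"] > factor * max(prev["out_dests"], 1))


def extract_reference(info, dir_threshold=10):
    """Extracting step: most frequent port, and each direction whose count is over the threshold."""
    ports = Counter(p.dport for p in info["packets"])
    dirs = Counter(direction(p) for p in info["packets"])
    return {"port": ports.most_common(1)[0][0],
            "directions": sorted(d for d, n in dirs.items() if n > dir_threshold)}


def should_block(pkt, ref):
    """Blocking step: drop boundary-crossing packets that match the reference information."""
    return direction(pkt) in ref["directions"] and pkt.dport == ref["port"]


def detect(packets, width=10.0):
    """Compare two consecutive windows; return reference information or None."""
    prev = acquire(packets, 0.0, width)
    cur = acquire(packets, width, width)
    return extract_reference(cur) if judge(prev, cur) else None


def sample_capture():
    """Constructed data: a quiet window, then one host scanning many addresses on port 445."""
    pkts = [Packet(i * 2.0, "10.0.0.5", f"198.51.100.{1 + i % 2}", 443) for i in range(5)]
    pkts += [Packet(10 + i * 0.1, "10.0.0.7", f"203.0.113.{i + 1}", 445) for i in range(60)]
    pkts += [Packet(12.0 + i, "198.51.100.1", "10.0.0.5", 51000) for i in range(3)]
    return pkts


if __name__ == "__main__":
    ref = detect(sample_capture())
    print("reference information:", ref)
    probe = Packet(30.0, "10.0.0.9", "203.0.113.200", 445)
    print("block probe:", should_block(probe, ref))
```
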